MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b506dc9b1bc7904f4e8abc8a14d0b44ccc1c0a7ca687761349d38a425baa1348. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b506dc9b1bc7904f4e8abc8a14d0b44ccc1c0a7ca687761349d38a425baa1348
SHA3-384 hash: ed015985d4d85db0a8d034d396910687d8831f192234d1a2b6287a41813870dbd49442299d1d37cf57b1e208c13d634c
SHA1 hash: 0b02df4960e089ff416988b65c7ae5e45a024afe
MD5 hash: 659c58b8711443c05cc9ca306768e07d
humanhash: winter-solar-twelve-wisconsin
File name:pbW11N1N7687Z88.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:961'536 bytes
First seen:2023-03-13 10:46:40 UTC
Last seen:2023-03-14 08:02:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:K34O8lpXU5ZkXVPYSNTW5G0KrhnByZXUn5MZr90/DeVN+c74hUojJpiWXJsVKSjt:K0xNTl0KP+En57ScpRjJAWXmKo
TLSH T1E315AE4483444F2CF6E0667D30683EC62F8168DCE9AEBBEF59A7D879B5E881507C6C41
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 70f0e6d4cca8f070 (15 x AgentTesla, 6 x SnakeKeylogger, 5 x Loki)
Reporter TeamDreier
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
pbW11N1N7687Z88.exe
Verdict:
Malicious activity
Analysis date:
2023-03-13 10:50:32 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/92071ebe-700c-4c9b-ab0b-1ef7ed675a94

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/373993/
Detection(s):
SecuriteInfo.com.Trojan.Siggen20.3796.23537.4375.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/640eff2915e425e0dcc1cdb8/reports/f2f4be52-e98e-438b-b8b2-3e2ab4d3b303/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/b506dc9b1bc7904f4e8abc8a14d0b44ccc1c0a7ca687761349d38a425baa1348
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c198a32d-8300-4e16-9ff2-6c51ea7c8b3f
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1192396
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b506dc9b1bc7904f4e8abc8a14d0b44ccc1c0a7ca687761349d38a425baa1348/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-13 07:27:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wudnzgy3y6ie6tukxsfbjufujtgbyct4u2dxme2j2ofeew5kcnea._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230313-mvh45sca5z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla payload
AgentTesla
Unpacked files
SH256 hash:
9735eb3db3bb8e63249cdc5659de544ff6fac0f9e9987b1c7b0ccac8c2aadb69
MD5 hash:
c094f82f282257c7d88030e3bc561729
SHA1 hash:
e09147f7b9874bcfbebda13c7ab6ced7d6c6ae17
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/527af8c3-f5bf-4410-b8a6-cc309d7e35d2/
Parent samples :
f0da229cd56486cb27d1465410147676261d663a62aa9e95f27fda1b2ee5a662
b78040849f2b58f1cf44d65b15df6aa282b0958cda4445f691633e39b2c644ea
7eb652a8ae8849d8b7fb0f2cc9a0b6a591874c564c7ab275fe519ba37895a43f
830259122e9c75a4977848c7a340c7a13efb927302035bf9f3460530c5f4d7dd
b506dc9b1bc7904f4e8abc8a14d0b44ccc1c0a7ca687761349d38a425baa1348
fd2ddd6b33014512158a83661ab481547e2b7b34a80d2c32ef05ae37826c4e42
6fe8c589727c61797e7f1be599e1b8d19d5ba37bd71d7223f866c6d94dfbaf1c
4e07c4b00b345ceb00f859475df5179802164912527f8feae6820a8ef50bb15f
ffdf5ac834d24512efa206781e9555b3a4ec7de8e27733de0b1187cf3b26fbf4
b9eef3caa6be71a2a745055198dd0243a792b8faf6314554e050c037733c7588
62dc73beb92c72827a3408e42c9220f5d33258258ff03bfc7285d02f7372eee8
df4f3740e1876d09c3d045fdcc6a6245576994091fcc7cafe4c6b7fc76428b95
SH256 hash:
b8877238b6459130d57677dcc70e394950469c7090b2e70973184d7696ee3a32
MD5 hash:
6ba7a5936360514981731ebd2d845c46
SHA1 hash:
bbe1c9f1489ebd1344a066a8f9939b2b67792186
Link:
https://www.unpac.me/results/527af8c3-f5bf-4410-b8a6-cc309d7e35d2/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/527af8c3-f5bf-4410-b8a6-cc309d7e35d2/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
41ce98c064e7c3b9f45b09f71ffab5af93c56af43effa5d4a9e36a441bbd0b2b
MD5 hash:
9c166555a252e81e1af085889235a8d2
SHA1 hash:
915cc9500f5ad121a75d175093012d8fe1fa812e
Link:
https://www.unpac.me/results/527af8c3-f5bf-4410-b8a6-cc309d7e35d2/
SH256 hash:
028f4140dd945daa23d7d4338cd4ab314a4bb55d90367fc457fa069e94abe07c
MD5 hash:
79dee853276c5dae9036c8f141a95637
SHA1 hash:
1ee824bb523994c5b4b62e172f0bcd38d21912a2
Link:
https://www.unpac.me/results/527af8c3-f5bf-4410-b8a6-cc309d7e35d2/
SH256 hash:
b506dc9b1bc7904f4e8abc8a14d0b44ccc1c0a7ca687761349d38a425baa1348
MD5 hash:
659c58b8711443c05cc9ca306768e07d
SHA1 hash:
0b02df4960e089ff416988b65c7ae5e45a024afe
Link:
https://www.unpac.me/results/527af8c3-f5bf-4410-b8a6-cc309d7e35d2/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b506dc9b1bc7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/b506dc9b1bc7904f4e8abc8a14d0b44ccc1c0a7ca687761349d38a425baa1348

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe b506dc9b1bc7904f4e8abc8a14d0b44ccc1c0a7ca687761349d38a425baa1348

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/373993/

Comments